CVE-2016-20016
Published: 2022-10-19
Priority: P1 · 95 · critical · 9.8 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 86.29% (99.7th percentile)
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mvpower | tv-7104he_firmware | — | — |
Detection & IOCs
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/shell|3f|"; fast_pattern; startswith; pcre:"/^.*?(?:[\x3b\x7c\x24\x60]|\x2d{1,2}\w+(?:\x20|\x2520))/R"; reference:url,www.pentestpartners.com/security-blog/pwning-cctv-cameras/; reference:cve,2016-20016; classtype:web-application-attack; sid:2030092; rev:4; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, former_category MALWARE, confidence Medium, signature_severity Major, updated_at 2025_04_07; target:dest_ip;)
- The vulnerable endpoint is /shell: any GET request to this URI path on the target device indicates an exploitation attempt. The query string carries the OS command to execute.
- The HTTP response 'Server' header value 'JAWS' is a reliable fingerprint for identifying vulnerable MVPower DVR devices and exploitation traffic.
- Detection should focus on GET requests to URIs beginning with /shell? (written as /shell|3f| in the rule, where |3f| is the hex byte for ?) containing shell metacharacters: semicolon (0x3b), pipe (0x7c), dollar sign (0x24), backtick (0x60), or words prefixed with one or two dashes (CLI flags) and followed by a space or %20, which indicate command injection payloads.
- The vulnerability requires no authentication: any unauthenticated GET to /shell from external networks should be treated as a high-confidence attack attempt.
- Multiple firmware versions spanning 2014–2019 are affected, not just the tested version 1.8.4 115215B9. Detection rules should not be scoped to a single firmware version.
- The Metasploit module was only confirmed tested on TV-7104HE firmware 1.8.4 115215B9; TV-7108HE is reportedly affected but untested, so behavioral coverage may vary.
- The Snort/Suricata rule (sid:2030092) carries only 'Medium' confidence metadata, meaning false positives are possible; tune accordingly in high-traffic environments.
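The rule logic above, applied to web or proxy access logs for retrospective hunting. This is an added example, not code from the page or from the rule's authors; the combined log format, the function names and the sample lines are assumptions, and the percent-decoded check goes beyond what sid:2030092 itself matches.

```python
import re
from urllib.parse import unquote

# Same alternation as the pcre in sid:2030092, applied to what follows "/shell?":
# ; | $ ` or a -flag/--flag followed by a space or a literal "%20".
PAYLOAD_RE = re.compile(r"[\x3b\x7c\x24\x60]|\x2d{1,2}\w+(?:\x20|\x2520)")
# Request part of a combined-format access log line (log format is an assumption).
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def classify(method, uri):
    """Return 'rule-match', 'shell-access' or None for one request."""
    if method != "GET" or not uri.startswith("/shell?"):
        return None
    query = uri[len("/shell?"):]
    # Check the raw query as the rule does, plus a percent-decoded copy
    # (the decoded check is an addition, not part of the rule).
    if PAYLOAD_RE.search(query) or PAYLOAD_RE.search(unquote(query)):
        return "rule-match"
    # No metacharacter, but any unauthenticated GET to /shell is still suspect.
    return "shell-access"


def scan(lines):
    """Yield (source_ip, verdict, uri) for every flagged log line."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, method, uri = m.groups()
        verdict = classify(method, uri)
        if verdict:
            yield src, verdict, uri


# Constructed sample lines (documentation addresses, harmless commands).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shell?id;uname HTTP/1.1" 200 31',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /shell?ls%20-la%20/tmp HTTP/1.1" 200 90',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shell?uptime HTTP/1.1" 200 12',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html?a=1;b=2 HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:11 +0000] "POST /shell?id;uname HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The "shell-access" verdict covers requests the signature would miss because the query carries no metacharacter; on a network with no MVPower devices it is scan noise, on one with them it warrants triage.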
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-p4xh-2j8v-rpq8: MVPower CCTV DVR models, including TV-7104HE 1
ghsa_unreviewed·2022-10-19
CVE-2016-20016 [CRITICAL] CWE-78 GHSA-p4xh-2j8v-rpq8: MVPower CCTV DVR models, including TV-7104HE 1
VulnCheck
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE Remote Command Execution
vulncheck·2016·CVSS 9.8
CVE-2016-20016 [CRITICAL] MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE Remote Command Execution
Affected: mvpower tv-7104he_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation Referen
Suricata
ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016)
suricata·2020-05-04·CVSS 9.8
CVE-2016-20016 [CRITICAL] ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016)
Sans Isc
What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th)
blogs_sans_isc·2026-06-25
CVE-2016-20017 What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th)
Published: 2026-06-24. Last Updated: 2026-06-25 00:39:08 UTC
by Nicole Phillips, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Nicole Phillips, an ISC intern as part of the SANS.edu BACS program]
"I was just sitting here enjoying the company. Plants got a lot to say, if you take the time to listen."
— Eeyore, Winnie the Pooh
Introduction: Listening to the Static
Setting up and contributing to the DShield honeypot project [1] as an ISC intern is a meaningful part of the BACS program at SANS [2]. Over the last several months I've been thrilled to observe real-time SSH/Telnet activity, check every new file hash and TTY log and hunt for unique http requests. That sa
Greynoiseio
GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready?
blogs_greynoiseio·2025-02-27
Fortinet
The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
blogs_fortinet·2024-06-25·CVSS 9.8
By Cara Lin and Vincent Li | June 25, 2024
Affected Platforms: Linux Distributions
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers, such as VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift in strategy presents significant challenges for detection and prevention, as cloud services provide scalability, anonymity, and resilience that traditional hostin
Greynoiseio
NoiseLetter August 2024
blogs_greynoiseio
https://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
https://www.exploit-db.com/exploits/41471
https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/